Description of problem:
sys_mq_open and sys_mq_unlink's u_name argument (arg0) is being recorded incorrectly in the audit log. The value is seemingly off by 1 (+1) in the audit log.

Version-Release number of selected component (if applicable):
This is taking place on the lspp.57 kernel.

How reproducible:
See test.c

Steps to Reproduce:
1. auditctl -a entry,always -S mq_open
2. auditctl -a entry,always -S mq_unlink
3. Execute attached testcase and compare against audit log.

Actual results:
>>> Actual Record (fields relevant to syscall)
Time 1165854560 - Serial_No 208
SYSCALL: arch=c000003e syscall=241 success=yes exit=0 a0=411921 a1=7fff7c9f81f0 a2=457d875f a3=8 ppid=1703 pid=2269 auid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null)

Expected results:
>>> Expected Record (fields relevant to syscall)
SYSCALL: arch=c000003e syscall=241 success=yes exit=0 a0=411920 a1=7fff7c9f81f0 a2=457d875f a3=8 ppid=1703 pid=2269 auid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null)

Created attachment 143346
Testcase

The mq_open / mq_unlink problem (audit record == pointer + 1) is due to the way glibc implements mq_open, and is not a kernel bug. From ./sysdeps/unix/sysv/linux/mq_open.c in glibc...

mqd_t
mq_open (const char *name, int oflag, ...)
{
  if (name[0] != '/')
    {
      __set_errno (EINVAL);
      return -1;
    }
[...]
  return INLINE_SYSCALL (mq_open, 4, name + 1, oflag, mode, attr);
}

...as you can see, when the API is passed "/foo" glibc removes the / giving the kernel just "foo".

I am going to close this as not a bug since it's an explained condition.
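
A test that compares audit records against userspace pointers has to account for the glibc behaviour explained above. The following is an added example, not code from the attached testcase or from glibc; the helper names (audit_field, expected_a0, audit_a0_matches) are hypothetical, and the syscall numbers are the x86_64 ones matching arch=c000003e in the record.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* x86_64 (arch=c000003e) syscall numbers; 241 is the one in the record above. */
#define NR_MQ_OPEN   240UL
#define NR_MQ_UNLINK 241UL

/* Parse a whole "key=value" field; 0 on success, -1 if absent or malformed. */
static int audit_field(const char *rec, const char *key, int base, unsigned long *out)
{
    size_t klen = strlen(key);
    for (const char *p = rec; (p = strstr(p, key)) != NULL; p += klen) {
        if ((p != rec && p[-1] != ' ') || p[klen] != '=')
            continue;   /* substring of another field name, keep looking */
        char *end;
        const char *val = p + klen + 1;
        unsigned long v = strtoul(val, &end, base);
        if (end == val || (*end != ' ' && *end != '\0'))
            return -1;
        *out = v;
        return 0;
    }
    return -1;
}

/* glibc passes name + 1 for mq_open; the report shows the same for mq_unlink. */
unsigned long expected_a0(unsigned long nr, unsigned long user_ptr)
{
    return (nr == NR_MQ_OPEN || nr == NR_MQ_UNLINK) ? user_ptr + 1 : user_ptr;
}

/* 1 = a0 matches the adjusted pointer, 0 = mismatch, -1 = unparseable record. */
int audit_a0_matches(const char *rec, unsigned long user_ptr)
{
    unsigned long nr, a0;
    if (audit_field(rec, "syscall", 10, &nr) || audit_field(rec, "a0", 16, &a0))
        return -1;
    return a0 == expected_a0(nr, user_ptr);
}

int main(void)
{
    /* Record from the report, trimmed to the relevant fields. */
    const char *rec = "SYSCALL: arch=c000003e syscall=241 success=yes exit=0 "
                      "a0=411921 a1=7fff7c9f81f0 a2=457d875f a3=8";
    printf("match=%d\n", audit_a0_matches(rec, 0x411920UL));
    return 0;
}
```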